If it was me, and policy would allow...
I would monitor the port that the border router is on. You're not
"in between" anything this way.. parallel really. I don't think there is a
lot to be gained from monitoring all the servers individually or from the
possible downside of trying to mirror many ports at once. For example,
I just monitor the ports where my firewalls hit their switches.. point being find
the "choke" point and monitor that. Hopefully they will let you do that.
If HR or whoever has policy issues, write your rulebase to ignore any hosts
they have issues with and perhaps submit your snort.conf for eval every month
or each quarter or whatever makes them happy that you're not going
KGB on them.. or give them an ACID login so they can see for themselves you
are not detecting the porn they download.. ;-)
If you can't trust the security guy, you have IMHO
some other organizational issues there.. ;-) Good luck!!
hth
Joe
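As an added illustration (not part of Joe's message or of the Snort project's own documentation), here is how the "write your rulebase to ignore any hosts they have issues with" part could be expressed in a Snort 2.x snort.conf on a sensor fed from a mirrored choke-point port. The network ranges, the `POLICY_EXEMPT` variable name and the SID are constructed placeholders, and the `ipvar` negation syntax assumes Snort 2.8 or later.

```conf
# Added example, not from the original message. All addresses are
# constructed placeholders; adjust to the real address plan.

# Networks the sensor is meant to cover. The negated sub-list is carved
# out of HOME_NET, so rules keyed on $HOME_NET never match those hosts.
ipvar HOME_NET [10.1.0.0/16,![10.1.50.0/24,10.1.0.77]]
ipvar EXTERNAL_NET !$HOME_NET

# Hosts excluded for policy reasons, kept in one variable so the exact
# list can be handed to HR (or whoever) for review alongside the config.
ipvar POLICY_EXEMPT [10.1.50.0/24,10.1.0.77]

# Make sure pass rules are evaluated before alert rules. Snort 2.8.5 and
# later do this by default; older builds need this line or "snort -o".
config order: pass alert log

# Anything to or from an exempt host is passed, so no alert rule below
# this point ever sees it and nothing about those hosts lands in ACID.
pass ip $POLICY_EXEMPT any <> any any (msg:"Policy-exempt host, not inspected"; sid:1000001; rev:1;)

# Stricter alternative that keeps the packets out of Snort entirely:
# put the following single line in a file and start the sensor with
# "snort -F exempt.bpf" so libpcap drops them before decoding:
#   not (net 10.1.50.0/24 or host 10.1.0.77)
```

The two mechanisms differ in what is auditable: the pass rule leaves the exclusion visible in snort.conf next to the rest of the rulebase (handy for the monthly or quarterly review Joe suggests), while the BPF filter means the sensor never even captures the exempt traffic, which is the stronger guarantee if the concern is that the data exists on the sensor at all.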